Hello,
I have followed this tutorial for deploying cert-manager via Helm and setting up a ClusterIssuer to issue certificates for subdomains. I think the installation of cert-manager and the ClusterIssuer is correct, but upon requesting a certificate, the process gets stuck in the self-check.
When I visit the .well-known/acme-challenge/ link that I find under Load Balancing within the cluster, I get the following response: `acme/autocert: host not configured`
`kubectl describe certificates` yields
```
> kubectl describe certificates
Name: subdomain-mycompany-de
Namespace: default
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"subdomain-mycompany-de","namespace":"default"},"spe...
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
  Cluster Name:
  Creation Timestamp: 2018-07-20T15:36:46Z
  Generation: 1
  Resource Version: 719320
  Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/default/certificates/subdomain-mycompany-de
  UID: b5e9fbee-8c32-11e8-9e8f-fa163e1d1396
Spec:
  Acme:
    Config:
      Domains:
        subdomain.mycompany.de
      Http 01:
        Ingress:
        Ingress Class: nginx
  Common Name: subdomain.mycompany.de
  Dns Names:
    subdomain.mycompany.de
  Issuer Ref:
    Kind: ClusterIssuer
    Name: letsencrypt-cluster-staging
  Secret Name: subdomain-mycompany-de-tls
Status:
  Acme:
    Order:
      Challenges:
        Authz URL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/xxx
        Domain: subdomain.mycompany.de
        Http 01:
          Ingress:
          Ingress Class: nginx
        Key: xxxxxFiHeLU2Mu18KOccr63oxBjj9W01Gc-b8.ADlfw80vNARKHaZxbOEIBTIhxtsS468HGAWRDzGJgiM
        Token: xxxxxFiHeLU2Mu18KOccr63oxBjj9W01Gc-b8
        Type: http-01
        URL: https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxxxx
        Wildcard: false
      URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/xxxxx
  Conditions:
    Last Transition Time: 2018-07-23T07:13:19Z
    Message: http-01 self check failed for domain "subdomain.mycompany.de"
    Reason: ValidateError
    Status: False
    Type: Ready
Events: <none>
>
```
The authz link to letsencrypt returns something like

```
{
  "identifier": {
    "type": "dns",
    "value": "subdomain.mycompany.de"
  },
  "status": "pending",
  "expires": "2018-07-27T12:11:51Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxxxxx7tMS6U-U3lscLB2qNJP_mWSG4ef2JE/150756494",
      "token": "xxxxxNATFiHeLU2Mu18KOccr63oxBjj9W01Gc-b8"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxxxxx7tMS6U-U3lscLB2qNJP_mWSG4ef2JE/150756495",
      "token": "xxxxxMeMbOfN_AZu6H02hg-O8dlxgSLxNJ7aTBwb28"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/xxxxxx7tMS6U-U3lscLB2qNJP_mWSG4ef2JE/150756496",
      "token": "xxxxxYzOzf44O9hyrfs9bQn4-XYYjMySoY6VQhUA"
    }
  ]
}
```
I have two hypotheses about what could be wrong, but don’t know how to test them:
- something is wrong within the cluster (the `acme/autocert: host not configured` response)
- I hit the letsencrypt rate limits (not sure if the `pending` from the authz actually indicates that)
My gut feeling is that the first is more likely, or even that both issues apply.
Can somebody help me to test & fix this?
thanks in advance!
michael
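
An added example (not part of the original post and not cert-manager's own code) for checking both hypotheses offline: an HTTP-01 solver must answer the challenge URL with the key authorization (the `Key` value, i.e. token, a dot, and the account-key thumbprint), and a rate limit shows up as an ACME problem document of type `rateLimited`, not as a `pending` authorization. The function names are hypothetical, the rate-limit document is a constructed sample, and the HTTP status 200 passed in the demo is an assumption because the post does not give it.

```python
import json

# Redacted values copied from the post's `kubectl describe certificates` output.
TOKEN = "xxxxxFiHeLU2Mu18KOccr63oxBjj9W01Gc-b8"
KEY = TOKEN + ".ADlfw80vNARKHaZxbOEIBTIhxtsS468HGAWRDzGJgiM"
# Trimmed copy of the authz document shown in the post.
AUTHZ = """{"identifier": {"type": "dns", "value": "subdomain.mycompany.de"},
 "status": "pending",
 "challenges": [{"type": "http-01", "status": "pending"},
                {"type": "dns-01", "status": "pending"}]}"""
# Constructed sample of an ACME rate-limit problem document (not from the post).
RATE_LIMIT = ('{"type": "urn:ietf:params:acme:error:rateLimited",'
              ' "detail": "constructed sample", "status": 429}')

def challenge_url(domain, token):
    """URL that both the self-check and the CA fetch for an HTTP-01 challenge."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"

def classify_self_check(status, body, token, key):
    """Compare one HTTP response with what the HTTP-01 solver must serve."""
    body = body.strip()
    if body == key:
        return "ok" if status == 200 else "bad-status"
    if body.startswith(token + "."):
        return "wrong-account-key"  # right token, thumbprint of another account
    return "wrong-backend"          # a server other than the solver answered

def authz_state(authz_json):
    """Return (authorization status, status of its http-01 challenge)."""
    doc = json.loads(authz_json)
    http01 = next(c for c in doc["challenges"] if c["type"] == "http-01")
    return doc["status"], http01["status"]

def is_rate_limited(body):
    """True only for an ACME problem document of type rateLimited."""
    try:
        return json.loads(body).get("type", "").endswith(":rateLimited")
    except (ValueError, AttributeError):
        return False

if __name__ == "__main__":
    print(challenge_url("subdomain.mycompany.de", TOKEN))
    # Body is the response quoted in the post; status 200 is assumed.
    print(classify_self_check(200, "acme/autocert: host not configured", TOKEN, KEY))
    print(authz_state(AUTHZ), is_rate_limited(AUTHZ))
```

A `wrong-backend` result means the request never reached the solver that cert-manager deployed, so the place to look is which Ingress or load balancer answers for that host and path.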